Forecasting complex multi-component time series within systems designed to detect anomalies in dataflows of industrial automated systems

Abstract

The need for detection, identification and prediction of anomalies emerged just a short time ago. This task brings multiple challenges that are mainly associated with recording and detection of novel attacks and influences. It draws attention of experts in network security and diagnostics of information and industrial systems. Detection of anomalies in dynamic dataflows largely determines the efficiency of management of computer network information security within information and industrial systems. At the same time, the technology of dynamic dataflow prediction is also very important for building systems intended to detect anomalies in data protection within industrial control systems. Any automated systems are based on available computer capabilities and advances in management theory, mathematical modeling and optimizations methods. Processes that occur in industrial automated systems and that are reflected in dataflows being observed constitute complex multi-component processes, thus making it more complicated to predict such processes. In this case, complex multi-component time series data should be predicted at different (short-term, medium-term and long-term) time scales. A neural network architecture matching the structure of the multi-component time series being predicted should be built for generating a multi-component prediction. It is proposed to decompose the complex multi-component time series into several basic components using the digital signal processing technology, i. e. to perform a preliminary structural analysis of multi-component time series within the observed range of all time series that reflect operation of the industrial control system. Separate predictions with different time horizon are formed for each basic component of the multi-component time series using the available neural network architecture and machine learning taking into account dynamic characteristics of the above components. Anomalies in the observed range of multiple time series that reflect operation of the industrial control system are detected (identified) through component-wise comparison of each component (resulted from the above preliminary digital processing) of any time series within the observed range of all time series, with each prediction of the relevant component of the above time series within the observed range of all time series. This approach that implies component-wise comparison will allow to detect anomalies within the range of observed time series of the industrial control system separately by their different dynamic characteristics, and thus will improve the efficiency of management of information security within information and industrial systems.